1 SYSTEM AND METHOD FOR MULTI-LEVEL MEMORY DOMAIN PROTECTION 
2 

3 BACKGROUND OF THE INVENTION 

4 1. Field of the Invention 

5 The present invention relates generally to systems and methods for 

6 implementing multi-level protection of memory domains, and more particularly 

7 to implementing N levels of memory domain protection on hardware that only 

8 supports two levels of memory domain protection. 
m 2. Discussion of Background Art 

||f Memory domain protections are a necessary part of any computer 

\% architecture. Traditionally, computer architectures have illustrated protection of 

12 memory domains with a set of concentric circles, i.e. memory domain rings, 

t§ centered around an operating system. The operating system controls access to a 

L& 

|i computer's peripheral devices, internal memory, and processing unit. The 

TB operating system controls the most trusted memory domain within a computer. 

16 Moving from the operating system outward, each memory domain ring represents 

17 a memory domain which is a less trusted than the memory domain which it 

18 encloses. Finally, at the outer periphery of the memory domain rings is a memory 

19 domain containing user code. User code consists of any number of application 

20 programs that a user typically interacts with directly via a keyboard or some input 

21 device. User code represents the least trusted memory domain within the 

22 computer. 
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1 Typically, a large portion of the operating system is written to protect the 

2 computer from blindly executing programming instructions contained in the less 

3 trusted memory domains. These protections however, not only increase the size 

4 of the operating system code but also severely slow down the computer's operation 

5 regardless of the level of trust from which the programming instructions 

6 originated. 

7 The memory domain ring concept recognizes the fact that some code is 

8 more trusted and thus need not be subject to rigorous operational checks by the 

W operating system. As a result, computer architectures implemented with memory 

10 domain rings may operate faster since more trusted code is spared protective 

lfl computer checks before the computer is commanded to perform various 

if operations. 

l$& The current memory domain ring concept, however, does not support cases 

14M where co-dependent applications are equally trusted, and thus the operating 

1$* system would still perform its rigorous checks that the co-dependent applications 

16 communicated with each other, even though such checks would be unnecessary. 

17 Additionally, only hardware implementations of the memory domain 

18 concept exist. Thus, to achieve three levels of memory domain protection, the 

19 computer's hardware must be set up specifically for three levels of protection. 

20 And, to achieve ten levels of memory domain protection, the computer's 

21 hardware must be set up specifically for ten levels of protection. Due to the 

22 expense and complexity of implementing such specific multi-level protection in 

23 hardware, only the most expensive or specialized of computers support more than 

2 



1 two levels of protection. The two levels support a most trusted memory domain 

2 for the operating system and a less trusted memory domain for user application 

3 programs. 

4 Today, with the increasing complexity of computer system operation and 

5 the tendency toward developing specialized software that is much more trusted 

6 than a typical user application, there is a need for a computer supporting multiple 

7 levels of memory domain protections without increasing the computer's 
& hardware complexity* 

§J More specifically, what is needed is a better system and method for 

lDJ implementing N levels of memory domain protection. 
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1 SUMMARY OF THE INVENTION 

2 The present invention is system and method for multi-level memory 

3 domain protection. The present invention enables the three levels of memory 

4 domain protection to be achieved on computer hardware that supports only two 

5 levels of protection. These three levels are created by first, defining a domain 

6 process, including an operating system, domain code and data, and user code and 

7 data. Next, a user process having the operating system, a reserved portion, and the 
gg user code and data is defined. While the operating system is protected from the 

. ipsa 

# domain code and data by normal two level hardware protections, the reserved 

l|H portion is a software construct which is created to protect the domain code from 

lJP the user code. By defining a reserved portion within the user process, a third level 

l$k of protection is created in hardware that supported only two levels of memory 
domain protection. The three memory domain levels are an operating system 

iff level, a domain level, and a user level. The operating system executes a context 

15 switch between the user process and the domain process at the request of either the 

16 user code or the domain code. These requests are executed by the operating system 

17 code using a handshake procedure. Any number of levels of memory domain 

18 protection may be implemented simply by creating additional domain processes 

19 and performing additional context switches. 

20 Within the system of the present invention, a user process executes user 

21 code that accesses user data and executes user-to-domain control transfer 

22 instructions. A domain process executes domain code that accesses domain data or 

23 user data and executes domain-to-user control transfer instructions or domain-to- 
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1 user data access instructions. The user code or the domain code that contains 

2 either the control transfer instructions or the data access instructions is called the 

3 calling-code. The user code or the domain code that the control transfer 

4 instructions or the data access instructions are transferring control to or accessing 

5 data from is called the target. The user-to-domain control transfer instructions 

6 and the domain-to-user control transfer instructions are maintained in call gates. 

7 Call gates implement the mechanism for transferring control from one 
ft protection level to another in the multiple level memory domain protections 

§3 architecture. A user call gate implements a control transfer from the user level to 

1CM the domain level. A domain call gate initiates a control transfer from the domain 

ll § level to the user level Data transfers, required by data access instructions, do not 

l|T require call gates. 

lfy A user call gate and a domain call gate are respectively added to the user 

1^= code and the domain code. A call gate may call the operating system via a system 

15 call to effect a level change. The operating system causes the level change by doing 

16 a context switch. A user-to-domain call gate will cause a context switch between a 

17 user process and a domain process, A domain-to user call gate will cause a context 

18 switch between a domain process and a user process. 

19 The circuit of the present invention is particularly advantageous over 

20 the prior art because it enables any number of memory domain protection 

21 levels to be implemented on hardware that only supports two levels of 

22 memory domain protection. 
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1 These and other aspects of the invention will be recognized by those 

2 skilled in the art upon review of the detailed description, drawings, and claims 

3 set forth below. 
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1 BRIEF DESCRIPTION OF THE DRAWINGS 

2 Figure 1 is a process group for implementing three levels of memory 

3 domain protection; 

4 Figure 2 is a process group for implementing four levels of memory domain 

5 protection; 

6 Figure 3 is a process group for implementing N levels of memory domain 

7 protection; 

§3 Figure 4 is a block diagram of a call gate memory map; 

93 Figure 5 is a flowchart for initializing a process group; 

1£H Figure 6 is a memory map of a target code-segment within the call gate; 

lfc Figure 7 is a memory map of target code-segment parameters passed to the 

12* target code-segment; 

13* Figure 8 is a program flow diagram for a user process to domain process 

lJP control transfer; 

15 Figure 9 is a flowchart for the program flow diagram of Figure 8; 

16 Figure 10 is a program flow diagram for a user process to domain process 

17 control transfer return; 

18 Figure 11 is a flowchart for the program flow diagram of Figure 10; 

19 Figure 12 is a program flow diagram for a domain process to user process 

20 control transfer; 

21 Figure 13 is a flowchart for the program flow diagram of Figure 12; 

22 Figure 14 is a program flow diagram for a domain process to user process 

23 control transfer return; 
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Figure 15 is a flowchart for the program flow diagram of Figure 14; 
Figure 16 is a program flow diagram for a domain process to user process 
data access; 

Figure 17 is a flowchart for the program flow diagram of Figure 16; 
Figure 18 is a program flow diagram for an inter-group context switch; and 
Figure 19 is a flowchart for the program flow diagram of Figure 18. 
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1 DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 

2 The present invention is designed as a set of computer-readable program 

3 instructions which controls how a processing unit within a computer (not shown) 

4 accesses, transforms and outputs data. The computer includes various well 

5 known devices for storing and executing the computer-readable program 

6 instructions. Those skilled in the art will recognize that the computer-readable 

7 program instructions could be stored and accessed from within various computer 

8 useable storage media, including a compact disk, a magnetic disk or a memory 
#j chip. How the computer-readable program instructions effect the present 

lfrj invention is discussed in detail below, 
l|j 

12 Figure 1 is a process group 100 for implementing three levels of memory 

13* domain protection on hardware that supports only two levels of protection (i.e. a 

lfK first hardware level and a second hardware level). The process group 100 is located 

IB in a computer's virtual address space (not shown) and includes a domain (d,u) 

16 process 102, and a user (u) process 104 of which only one can be operational at a 

17 given time. The variables d and u are used to refer to a specific domain code and a 

18 specific user code within the process group 100. Additionally, in virtual addressed 

19 cache architectures that support address space tags (ASTAGs), one ASTAG is 

20 preferably allocated to the domain process 102, and one to the user process 104. A 

21 program counter 106 is located within the computer's processing unit (not shown) 

22 and points to a next instruction to fetch from the virtual address space. Program 
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1 control within the computer is transferred by repositioning the program counter 

2 106. 

3 The domain process 102 includes an operating system 108, a domain (d) code 

4 and data 110, and a user (u) code and data 112. The user process 104 includes the 

5 operating system 108, a reserved area 114, and the user code and data 112. Each of 

6 the aforementioned processes 102, 104 and codes 108, 110, 112 are mapped into the 

7 virtual address space of the computer. Exemplary operating system codes 108 
& include, Windows NT and UNIX. Exemplary domain codes 110 include, web 

§0 server codes, firewall codes, and data base server codes. Exemplary user codes 112 

l|j include, word-processing codes, spreadsheet codes, and internet browsing codes. 

S 2 | 

ljj Domain (1) code 110, may be used to refer to a web server code, domain (2) code 

Ipi 110, may be used to refer to a firewall code, user (1) code 112 may be used to refer to 

IP* a word-processing code, and so on. 

Iff The operating system 108 and the user code and data 112 are the same in 

15 both processes 102 and 104 since each process 102, 104 merely represents a different 

16 context for viewing the same areas of computer memory. The operating system 

17 108 controls which process 102 or 104 is recognized at a given time by context 

18 switching between the two processes 102, 104. While in the domain process 102 

19 context, the domain code 110 is executing and has visibility into the user code and . 
20 : data 112. However, while in the user process 104 context, the user code 112 is 

21 executing and does not have visibility into the domain code and data 110, which 

22 the user code 112 only sees as a reserved area 114. Since the area 114 is perceived as 

23 reserved by the user code 112, the domain code and data 110 residing in the 
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1 reserved area 114 is protected from the user code 112. Protection is defined as a 

2 computer protocol that permits code in an inner domain ring (i.e. a more trusted 

3 code) an ability to read data from, write data to, or execute code within a memory 

4 domain at an outer domain ring (i.e. a less trusted code), but restricts the code in 

5 the outer domain ring to only executing the code within the memory domain of 

6 the inner domain ring. 

7 The present invention enables the three levels of memory domain 
protection to be achieved on hardware that supports only two levels of protection 

9S by first creating the domain process 102 context and the user process 104 context. 

KFy When the domain code 110 is executing, the program counter 106 must be in the 

lljf domain process 102 context. Within the domain process 102 context, the operating 

12^ system 108 is protected from the domain code 110 by normal two level hardware 

13^ protections. When the user code 112 is executing, the operating system 108 must 

143 place the program counter 106 in the user process 104 context. Within the user 

15 process 104 context, the operating system 108 is protected from the user code 112 by 

16 normal two level hardware protections, and the domain code and data 110 is 

17 protected from the user code 112 by the reserved area 114. The reserved area 114 is 

18 a software construct which conceals the domain code and data 110 from the user 

19 code 112, thus creating a third level of protection in hardware that supports only 

20 two levels of memory domain protection. The three resultant levels of memory 

21 domain protection are: an operating system level, a domain code level, and a user 

22 code level. 
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1 Control transfer and data access by the user code 112 (at one level) and the 

2 domain code 110 (at another level) are achieved using a process of context 

3 switching, to be discussed in detail below. In some cases, the control transfer or the 

4 data access requires that the operating system 108 context switch between the user 

5 process 104 and the domain process 102, in what is called an mfra-group context 

6 switch. In other cases, the control transfer or the data access requires that the 

7 operating system 108 context switch between a first process group (such as process 
§^ group 100 where d=l and u=l) and a second process group (such as process group 
9jj$ 100 where d=l and u=2), in what is defined as an inter-group context switch. 

Iffy Those skilled in the art will recognize how to program both the intra-group 

lif context switch and the inter-group context switch. 

12^ Any number of levels of memory domain protection may be implemented 

li* simply by creating additional domain processes and performing additional context 

1CJ switches, as will be shown with respect to Figures 2 and 3. 

15 In the present invention, three levels of protection are implemented using 

16 a protocol which: 

17 1) permits the operating system 108 to read data from, write data to, or 

18 execute code anywhere within any domain 110 or user 112; 

19 2) permits the domain code 110 to execute code within (using a system call), 

20 but not to read data from or write data to the operating system 108; 

21 3) permits the domain code 110 to read data from, write data to, or execute 

22 code anywhere within either a domain at the same protection level, or any user; 
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4) permits the user code 112 to execute code within (using a system call), but 
not to read data from or write data to the operating system 108 and the domain 110; 
and 

5) restricts the user code 112 from reading data from, writing data to, or 
executing code within any other user. 

Figure 2 is a process group 200 for implementing four levels of memory 
domain protection on hardware that supports only two levels of protection (i.e. a 
first hardware level and a second hardware level). The process group 200 is located 
in a computer's virtual address space (not shown) and includes a level II domain 
(d 2/ d 17 u) process 202, a level I domain (d^u) process 204, and a user (u) process 206 
of which only one can be operational at a given time. The variables d 2/ d a and u 
are used to refer to specific domain codes and a specific user code within the 
process group 200. 

The level II domain process 202 includes operating system 208, level II 
domain (dj) code and data 210, level I domain (d^ code and data 212, and user (u) 
code and data 214. The level I domain process 204 includes operating system 208, a 
first reserved area 216, level I domain (d,) code and data 212, and user (u) code and 
data 214. The user (u) process 206 includes operating system 208, the first reserved 
area 216, a second reserved area 218, and user (u) code and data 214. 

The operating system 208 and the user 214 are the same in all processes 202, 
204 and 206 since each process 202, 204 and 206 merely represents a different 
context for viewing the same areas of computer memory. The operating system 
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208 controls which process 202, 204 or 206 is recognized at a given time by context 
switching between the processes 202, 204 and 206. The computer system's 
hardware places the operating system 208 at a first level of protection. 

While in the level II domain process 202 context, the level II domain code 
210 is executing and has visibility into the level I domain code and data 212 and 
the user code and data 214. The level n domain process 202 context enables the 
level II domain code and data 210 to be at a second level of protection. 

While in the level I domain process 204 context, the level I domain code 212 
is executing and does not have visibility into the level II domain code and data 
210, which the level I domain code 212 only sees as the first reserved area 216. 
Since the area 216 is perceived as reserved by the level I domain code 212, the level 
II domain code and data 210 residing in the first reserved area 216, it is protected 
from the level I domain code 212. Thus, the level I domain process 204 context 
enables the level I domain code and data 212 to be at a third level of protection. 

Similarly, while the user process 206 context, the user code 214 is executing 
and does not have visibility into either the level II domain code and data 210 or 
the level I domain code and data 212, which the user code 214 respectively only 
sees as the first reserved area 216 and the second reserved area 218. Since these 
areas 216 and 218 are perceived as reserved by the user code 214, the level II 
domain code and data 210 residing in the first reserved area 216 and the level I 
domain code and data 212 residing in the second reserved area 218 are protected 
from the user code 214. The user process 206 context thus enables the user code 
and data 214 to at a fourth level of protection. 
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1 The four levels of protection are implemented using a protocol which: 

2 1) permits the operating system 208 to read data from, write data to, or 

3 execute code anywhere within any level II domain 210, level I domain 212, or user 

4 214; 

5 2) permits the level II domain code 210 to execute code within (using a 

6 system call), but not to read data from or write data to the operating system 208; 

7 3) permits the level II domain code 210 to read data from, write data to, or 

8 execute code anywhere within any level II domain 210, level I domain 212 or user 
£ 214; 

itfjj 4) permits the level I domain code 212 to execute code within (using a 

1 ft system call), but not to read data from or write data to either the operating system 

if 208 or the level II domain 210; 

1$^ 5) permits the level I domain code 212 to read data from, write data to, or 

14J execute code anywhere within any level I domain 212 or user 214; 

1^ 6) permits the user code 214 to execute code within (using a system call), but 

16 not to read data from or write data to either the operating system 208, the level II 

17 domain 210, or the level I domain 212; and 

18 7) restricts the user code 214 from reading data from, writing data to, or 

19 executing code within any other user 214. 

20 All of the other discussion relating to the process group 100 apply, after 

21 being appropriately scaled, to the process group 200. 
22 
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1 Figure 3 is a process group 300 for implementing N levels of memory 

2 domain protection, where N is any integer number. The process group 300 is 

3 located in a computer's virtual address space (not shown) and includes a level N-2 

4 domain (d (Dr2y ...,d v u) process 302, various intermediate level domain processes 

5 (represented throughout by the symbol ...), a level I domain (d v u) process 304, and 

6 a user (u) process 306, The level N-2 domain process 302 includes operating 

7 system 308, level N-2 domain (d <n-2) ) code and data 310, various intermediate level 

8 domain processes, level I domain (d a ) code and data 312, and user (u) code and data 
Sfe 314. The level I domain process 304 includes the operating system 308, an (n-2)th 

IGji reserved area 316, various intermediate level reserved areas, the level I domain 

11SJ (d t ) code and data 312, and the user (u) code and data 314. The user (u) process 306 

llP 1 includes the operating system 308, the (n-2)th reserved area 316, the various 

13 s * intermediate level reserved areas, a first reserved area 318, and the user (u) code 

lCj and data 314. 

1EU All of the other discussion relating to the process group 200 applies, after 

16 being appropriately scaled, to the process group 300. 

17 

18 In the discussion that follows, only implementation of the process group 

19 100 is discussed. After studying the information contained within this 

20 specification, those skilled in the art will recognize how to build and implement 

21 process groups having N-levels of protection. 
22 
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1 Figure 4 is a block diagram of a call gate memory map 400. The call gate 400 

2 provides a mechanism for both the domain code 110 in the domain process 102 

3 and the user code 112 in the user process 104 to access either the operating system 

4 108, the domain code and data 110, or the user code and data 112. One call gate 400 

5 is created for each set of calling-code 110 or 112 and each target 110 or 112. The 

6 calling-code is defined as either the user code 112 or the domain code 110 that 

7 initiates a request to access another set of code and data 110 or 112. The target is 

8 defined as either the user code and data 112 or the domain code and data 110 that is 
<fc accessed by the calling-code 110 or 112. 

1(5 The call gate 400 includes data fields containing a first target code-segment 

1 W 402, a second target code-segment 404, and a kth target code-segment 406. Each 

if 1 target code-segment 402, 404, 406 corresponds to a unique control transfer link 

it? between a particular set of calling-code and a particular target. Each of the target 

l{j code-segments 402, 404, and 406 are initialized by the operating system 108 at the 

IP request of the calling-code. In response to such a request, the operating system 108 

16 creates two target code-segments. The first target code-segment is inserted in the 

17 calling-code's call gate 400 and specifies operations for linking the calling-code to 

18 the target. The second target code-segment is inserted in the target's call gate 400 

19 and specifies operations for returning from the target to the calling-code. For 

20 instance, if domain code 110 has a control transfer link to user code and data 112, 

21 then domain code 110 will have within its call gate 400 a target code-segment for 

22 accessing the user code and data 112, and user code 112 will have within its call 

23 gate 400 a target code-segment for returning back to the domain code 110. 
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1 

2 Figure 5 is a flowchart for initializing a process group 100. The method 

3 begins in step 502 where the operating system 108 receives a request from calling- 

4 code in a calling-code process to connect to a target. Next, in step 504, the operating 

5 system 108 generates, from a template, a call gate 400 containing a target code- 

6 segment 402, 404, 406. In step 506, the operating system 108 adds it to the call gate 

7 400 and the target code-segment 402, 404, 406 into the calling-code. The operating 

8 system 108 creates a target process for the target, if the target process is not already 
Sg in existence, in step 508. Next in step 510, the operating system 108 performs an 

10/t intra-group context switch from the calling-code process to the target process. In 

l£j step 512, the operating system 108 generates another call gate 400 containing 

1231 another target code-segment 402, 404, 406 from a template. The operating system 

it* 108 inserts the call gate and the target code-segment into the target in step 514. 

14T: After step 514, the process of initializing the process group 100 is complete, 
if? 

16 Figure 6 is a memory map of a target code-segment 600 within the call gate 

17 400. The target code-segment 600 includes data fields containing a target code- 

18 segment address 602, an Interface Definition Language (IDL) description of 

19 arguments 604, linking-code 606, and a calling-code return state 608. The target 

20 code-segment address 602 corresponds to an address where the target is first 

21 accessed by the calling-code. The IDL description of arguments 604 is used when 

22 the calling-code must access the target over a network. This is called a remote call. 

23 In contrast, local calls, where both the calling-code and the target are on the same 
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1 computer, do not use the IDL description of arguments 604. The IDL description of 

2 arguments 604 identifies a data type, such as integer, real number, text, etc., for any 

3 arguments (see Figure 7) that the calling-code passes to the target. The linking- 

4 code 606 is executed by the calling-code, and transfers control to the operating 

5 system 108 to perform either an intra-group or inter-group context switch. The 

6 linking-code 606 then resumes control and accesses either the code or data at the 

7 target code-segment address 602. The calling-code return state 608 contains 

8 information on how to restore the calling-code's configuration after the target 
M gives up control of the program counter 106, but before the calling-code obtains 

loS program counter 106 control. The calling-code return state 608 is executed by the 

Vb4 operating system 108, 

If 1 

lj* Figure 7 is a memory map of target code-segment parameters 700 passed to 

33SSS 

l|5 the target linking code 606. The target code-segment parameters 700 are generated 

lE by and passed from the calling-code to the call gate 400 when a gate call to the 

16 linking code 606, in a selected target code-segment 600, is requested by the calling- 

17 code. The target code-segment parameters 700 include data fields containing a 

18 target code-segment identifier 702 and a set of arguments 704. The target code- 

19 segment identifier 702 identifies which target code-segment 402, 404, or 406 that the 

20 calling-code is to access. The arguments 704 consist of any information that the 

21 calling-code passes to the target so that the target will have the information needed 

22 to complete any operation that the calling-code requested of the target. 
23 
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1 Figure 8 is a program flow diagram for a user process 104 to domain process 

2 102 control transfer within process group 100. Figure 9 is a flowchart for the 

3 program flow diagram of Figure 8. Figures 8 and 9 are two different 

4 representations of the same process and so will be discussed simultaneously. The 

5 user-to-domain control transfer begins in step 902, when the program counter 106 

6 references an instruction, as shown by line 802, in the user code 112 within a user 

7 process 104, calling for execution of targeted domain code 110 within a domain 

8 process 102. In this control transfer, the user code 112 is the calling-code and the 
S domain code 110 is the target. Next in step 904, the calling user code 112 identifies 

1 jj a set of arguments 704 and a target code-segment identifier 702 before causing 

1>J program control to branch, as shown by line 804, from the user code 112 to a call 

if' gate 806 target code-segment, specified by the target code-segment identifier 702. 

l9 The call gate 806 resides within the user code 112. In step 906, the linking-code 606 

lJS in the target code-segment is executed and program control is transferred to, as 

5 shown by line 808, the operating system 108 in the user process 104. The linking- 

16 code 606 instructs the operating system 108 to both route program control to the 

17 code specified by the target code-segment identifier 702 and to pass the arguments 

18 704 to the target. The operating system 108 then performs an intra-group context 

19 switch, as shown by line 810, from the user process 104 to the domain process 102 

20 in step 908. If the intra-group context switch, as shown by line 810, required a 

21 connection across a network (not shown) the IDL description of arguments 604 

22 would also have been passed to the operating system 108 in the domain process 

23 102. In step 910, program control is transferred to, as shown by line 812, a call gate 
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1 814 target code-segment corresponding to the user code 112* The call gate 814 

2 resides within the domain code 110. Next in step 912, the linking-code 606 in the 

3 call gate 814 causes program control to branch, as shown by line 816, to the targeted 

4 domain code 110. Alternatively, program control may have directly entered the 

5 targeted domain code since the operating system 108 has direct access privileges to 

6 all domain and user code. After step 912, the domain code 110 then executes the 

7 targeted domain code in step 914. Next in step 916 after the domain code 110 has 

8 finished executing, the linking-code 606 in the call gate 814 executes a user-to- 
^ domain control transfer return. The user-to-domain control transfer return is 

ICR further described with respect to Figures 10 and 11. After step 916, the user-to- 

If? ; 

Vbi domain control transfer is complete. 

lip Since the domain and operating system codes may service more than one 

l|* user, use of the call gates 806, 814 prevent the user code from anonymously 

lti accessing the domain code or the operating system code. The call gates 806, 814 

lfE also inform the operating system and domain code to which user process to return 

16 to after executing the user's control transfer. Also, each user code 112 preferably 

17 can only access domain code in the currently active process group 100. For 

18 example, user (u) code 112 may only access domain (d) code 110, if the user (u) code 

19 is within the process group where domain (d) code is currently active. User (u) 

20 code 112 may not access domain (d+1) code, unless the user (u) code is within a 

21 process group where domain (d+1) code currently active. 
22 
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1 Figure 10 is a program flow diagram for a user process 104 to domain process 

2 102 control transfer return within process group 100. Figure 11 is a flowchart for 

3 the program flow diagram of Figure 10. Figures 10 and 11 are two different 

4 representations of the same process and so will be discussed simultaneously. The 

5 user-to-domain control transfer return begins in step 1102 as the program counter 

6 106 references an instruction, as shown by line 1002, in the domain code 110 

7 within a domain process 102, commanding return to calling user code 112 within a 

8 user process 104. In this control transfer return, the user code 112 is still the 

9j calling-code and the domain code 110 is still the target. Next in step 1104, program 

Wi control returns, as shown by lines 1004 from the targeted domain code 110 to the 

ifi call gate 814 target code-segment corresponding to the calling user code 112. At this 

lif ; time any return arguments 704 are also passed to the call gate 814 . In step 1106, the 

13^ linking-code 606 in the target code-segment is executed and program control is 

I s * 

liy transferred to, as shown by line 1006, the operating system 108 in the domain 

1<H process 102. The operating system 108 then performs an intra-group context 

16 switch, as shown by line 1008, from the domain process 102 to the user process 104 

17 in step 1108. In step 1110, program control is transferred to, as shown by line 1010, 

18 the call gate 806 target code-segment in the user code 112, corresponding to the 

19 domain code 110. Next in step 1112, the linking-code 606 in the call gate 806 places 

20 the calling user code 112 in the calling-code return state 608. The return state is the 

21 state which the user code 112 was in before the user code 112 made the user-to- 

22 domain control transfer described in Figures 8 and 9. In step 1114 the linking-code 

23 606 causes program control to return, as shown by line 1012, to the calling user 
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1 code 112. The calling user code 112 then resumes execution in step 1116. After step 

2 1116, the user-to-domain control transfer return is complete. 
3 

4 Figure 12 is a program flow diagram for a domain process 102 to user process 

5 104 control transfer within process group 100. Figure 13 is a flowchart for the 

6 program flow diagram of Figure 12. Figures 12 and 13 are two different 

7 representations of the same process and so will be discussed simultaneously. The 

8 domain-to-user control transfer begins in step 1302 as the program counter 106 
90 references an instruction, as shown by line 1202, in the domain code 110 within a 

itj* domain process 102, calling for execution of targeted user code 112, within a user 

lit process 104. In this control transfer, the domain code 110 is the calling-code and 

12 the user code 112 is the target. Next in step 1304, the calling domain code 110 

li* identifies a set of arguments 704 and a target code-segment identifier 702 before 

ljgj causing program control to branch, as shown by line 1204, from the domain code 

15 110 to a call gate 814 target code-segment, specified by the target code-segment 

16 identifier 702. In step 1306, the linking-code 606 in the target code-segment is 

17 executed and program control is transferred to, as shown by line 1206, the 

18 operating system 108 in the domain process 102. The linking-code 606 instructs the 

19 operating system 108 to both route program control to the code specified by the 

20 target code-segment identifier 702 and to pass the arguments 704 to the target. The 

21 operating system 108 then performs an intra-group context switch, as shown by 

22 line 1208, from the domain process 102 to the user process 104 in step 1308. If the 

23 intra-group context switch, as shown by line 1208, required a connection across a 
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1 network (not shown) the IDL description of arguments 604 would also have been 

2 passed to the operating system 108 in the user process 104. In step 1310, program 

3 control is transferred to, as shown by line 1210, a call gate 806 target code-segment 

4 corresponding to the domain code 110. Next in step 1312, the linking-code 606 in 

5 the call gate 806 causes program control to branch, as shown by line 1212, to the 

6 targeted user code 112. Alternatively, program control may have directly entered 

7 the targeted user code since the operating system 108 has direct access privileges to 
8_ all user and domain code. After step 1212, the user code 112 then executes the 

f! targeted user code in step 1314. Next in step 1316 after the user code 112 has 

if! finished executing, the linking-code 606 in the call gate 806 executes a domain-to- 

IW user control transfer return. The domain-to-user control transfer return is further 

It described with respect to Figures 14 and 15. After step 1316, the domain-to-user 

l|f control transfer is complete. 

l|y In contrast to the control transfers that the user code 112 is permitted to 

15° make, the domain code 110 can access user code, or same level domain code, in 

16 any process group. For example, domain (d) code 110 may access user (u) code 112, 

17 user (u+1) code, user (u+2) code, and so on. Level I domain (d) code 110 may also 

18 access other level I domain codes, such as domain (d) code 110, domain (d+1) code, 

19 domain (d+2) code, and so on. When the domain code 110 access either a user 

20 code or a domain code that is not within the currently active process group, then 

21 the operating system 108 simply makes a context switch to a process group 

22 containing the code to be accessed. 
23 
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1 Figure 14 is a program flow diagram for a domain process 102 to user process 

2 104 control transfer return, within process group 100. Figure 15 is a flowchart for 

3 the program flow diagram of Figure 14. Figures 14 and 15 are two different 

4 representations of the same process and so will be discussed simultaneously. The 

5 domain-to-user control transfer return begins in step 1502 as the program counter 

6 106 references an instruction, as shown by line 1402, in the user code 112 within a 

7 user process 104, commanding return to calling domain code 110 within a domain 

8 process 102. In this control transfer return, the domain code 110 is still the calling- 
S code and the user code 112 is still the target. Next in step 1504, program control 

lfi returns, as shown by line 1404 from the targeted user code 112 to the call gate 806 

ill target code-segment corresponding to the calling domain code 110. At this time 

li* any return arguments 704 are also passed to the call gate 806. In step 1506, the 

£ linking-code 606 in the target code-segment is executed and program control is 

M transferred to, as shown by line 1406 the operating system 108 in the user process 

j§ 104. The operating system 108 then performs an intra-group context switch, as 

16 shown by line 1408, from the user process 104 to the domain process 102 in step 

17 1508. In step 1510, program control is transferred to, as shown by line 1410 the call 

18 gate 814 target code-segment in the domain code 110, corresponding to the user 

19 code 112. Next in step 1512, the linking-code 606 in the call gate 814 places the 

20 calling domain code 110 in the calling-code return state 608. The return state is the 

21 state which the domain code 110 was in before the domain code 110 made the 

22 domain-to-user control transfer described in Figures 12 and 13. In step 1514 the 

23 linking-code 606 causes program control to return, as shown by line 1412, to the 
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1 calling domain code 110. The calling domain code 110 then resumes execution in 

2 step 1516. After step 1516, the domain-to-user control transfer return is complete. 
3 

4 Figure 16 is a program flow diagram for a domain process 102 to user process 

5 104 data access within process group 100. Figure 17 is a flowchart for the program 

6 flow diagram of Figure 16. Figures 16 and 17 are two different representations of 

7 the same process and so will be discussed simultaneously. The domain-to-user 

8 data access begins in step 1702 as the program counter 106 references an 

9§ instruction, as shown by line 1602, in the domain code 110 within a domain 

l6j process 102, calling for a data access from the targeted user data 112. In this control 

ljj[ transfer, the domain code 110 is the calling-code and the user data 112 is the target. 

12 Next in step 1704, the domain code 110 directly accesses, as shown by line 1604, the 

1^= data located in the user data 112. No call gates are used. Program control remains 

14^ with the domain code 110 during the whole data access operation. In step 1706, the 

\f domain code 110 resumes execution. After step 1706, the domain-to-user data 

16 access is complete. Data access privileges are the same as for the control transfer 

17 privileges discussed above, with the exception that user code may not access 

18 domain data. Thus, the domain code 110 can access user code, or same level 

19 domain code, in any process group, but the user code may not access data in either 

20 the domain code or the operating system code even within the user code's own 

21 process group. 
22 
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1 If a domain code is executing within a process group that does not contain a 

2 desired user code or data, an inter-group context switch to a process group 

3 containing the desired user code or data is required, before performing either a 

4 control transfer or data access operation. An inter-group context switch will now 

5 be discussed. 
6 

7 Figure 18 is a program flow diagram for an inter-group context switch 

8 between process group 100 and a second process group 1802. The second process 
<Ji group 1802 implements three levels of memory domain protections and bears 

l(j3 similar characteristics to the process group 100 discussed above. The second 

ljN process group 1802 includes a domain (d 2/ u 2 ) process 1804, and a user (u 2 ) process 

li u 1806. The domain (d 2 ,u 2 ) process 1804 includes the operating system 108, a domain 

l£ (d 2 ) code 1808, and a user (u 2 ) code 1810. The user (u 2 ) process 1806 includes the 

IfU operating system 108, a reserved area 1814, and the user (u 2 ) code 1810. Notice that 

IP the same operating system 108 is present in all process groups 100, 1802. The 

16 variables d 2 and represent different sets of domain code and user code that are 

17 supported by the same operating system 108. 
18 

19 The following discussion is to be interpreted in light of the previous 

20 discussion of Figures 8 through 17. The key difference between the discussion to 

21 follow and the previous discussion is that an infer-group context switch 1820 

22 occurred instead of the inira-group context switches previously discussed. Other 
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1 than this difference, the code and data access steps remain the same and so are not 

2 repeated here. 
3 

4 Figure 19 is a flowchart for the program flow diagram of Figure 18. Figures 

5 18 and 19 are two different representations of the same process and so will now be 

6 discussed simultaneously. The process group context switch begins in step 1902 as 

7 the program counter 106 references an instruction, as shown by line 1818, 

8 executing the calling-code (i.e. the domain code 110 within the domain process 

$3 102) in process group 100 calling for either execution of the target's code or access to 

1(J! the target's data in the second process group 1802. As discussed above, only the 

lHJ domain code 110 can be the calling-code, since the user code 112 cannot cause an 

1W inter-group context switch. In other words, domain-to-user control transfer and 

1|* data access instructions may result in an inter-group context switch, but user-to- 

1C domain control transfer instructions may only result in an intra-group context 

if? switch. Next in step 1904, the calling-code instructions program control to branch 

16 to the call gate 814 target code-segment corresponding to either the targeted code or 

17 the targeted data. The linking-code 606 in the target code-segment then instructs 

18 the program control to enter the operating system 108, in step 1906. In step 1908, 

19 the operating system 108 performs an inter-group context switch, as shown by line 

20 1820, from the process group 100 to the second process group 1802. Next in step 

21 1910, the operating system 108 cause the program flow to enter a call gate 1812 or 

22 1816 target code-segment in the target (i.e. either the domain (cy code 1808 or the 

23 user (Uj) code 1810) corresponding to the calling-code. Program control then 
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1 branches to the target and executes either the targeted code or access the targeted 

2 data, in step 1912. In step 1914, after program control has returned to the call gate 

3 1812 or 1816, the linking-code 606 in the call gate executes a second process group 

4 1802 to process group 100 return in a similar manner to other returns described 

5 above, except that another inter-group context switch must be performed. 
6 

7 While the present invention has been described with reference to a 

8 preferred embodiment, those skilled in the art will recognize that various 

23 modifications may be made. Variations upon and modifications to the preferred 

18p embodiment are provided by the present invention, which is limited only by the 

iri following claims. 
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